Just in case you're still depending on a Russian vendor for your cybersecurity, the Commerce Department has banned Kaspersky Labs from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons.
The Final Determination by the Bureau of Industry and Security (BIS) is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS).
Kaspersky will generally no longer be able to sell its software within the United States or provide updates to software already in use.
In addition to this action, BIS added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives. Founder and CEO Yevgeny Valentinovich Kaspersky denies any cooperation with Russian intelligence.
In a related move, Friday Treasury’s Office of Foreign Assets Control (OFAC) designated twelve individuals in executive and senior leadership roles at AO Kaspersky Lab (Kaspersky Lab). OFAC has not designated Kaspersky Lab, its parent or subsidiary companies, or its CEO.
Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination.
In order to minimize disruption to U.S. consumers and businesses and to give them time to find suitable alternatives, the Department’s determination will allow Kaspersky to continue certain operations in the United States—including providing anti-virus signature updates and codebase updates—until 12:00AM Eastern Daylight Time (EDT) on September 29, 2024.
“The Russian Government has proven that it has the capability and intent to exploit Russian companies like Kaspersky to collect sensitive U.S. personal information and compromise the systems and networks that use these products,” said Elizabeth Cannon, Executive Director of the Office of Information and Communications Technology and Services. “The Department of Commerce stands ready to assist U.S. businesses and individual consumers across the country to respond appropriately to today’s action.”
The Final Determination finds ICTS transactions involving such products and services, such as the ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government, pose an undue or unacceptable national security risk and therefore prohibits continued transactions involving Kaspersky’s products and services.
BIS has determined that Kaspersky poses an undue or unacceptable risk to national security for the following reasons:
"Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services," said the company in a statement.
Yevgeny "Eugene" Kaspersky graduated from The Technical Faculty of the KGB Higher School in 1987 with a degree in mathematical engineering and computer technology. [His firm's website only mentions a later honorary degree from a UK university.]
His interest in IT security began when his KGB computer was infected with the Cascade virus in 1989 and he developed a program to remove it.
Kaspersky provides IT security solutions—including tools meant to defend against cyberthreats, such as malware, spam, hackers, distributed denial of services attacks, cyber espionage tools, and cyber weapons that target critical infrastructure—to home computer users, small companies, large corporations, and governments.
Kaspersky is a multinational company with offices in 31 countries, servicing users in over 200 countries and territories. Kaspersky provides cybersecurity and anti-virus products and services to over 400 million users and 270,000 corporate clients globally.
The U.S. Government previously took action against Kaspersky in 2017, when the Department of Homeland Security issued a directive requiring federal agencies to remove and discontinue use of Kaspersky-branded products on federal information systems. Additionally, the National Defense Authorization Act (NDAA) for Fiscal Year 2018 prohibited the use of Kaspersky by the Federal Government.
In addition, in March 2022, the U.S. Federal Communications Commission added to its “List of Communications Equipment and Services that Pose a Threat to National Security” information security products, solutions, and services supplied, directly or indirectly, by Kaspersky. Today’s determination by the Department is the latest U.S. Government action in an ongoing effort to protect U.S. citizens’ national security.
Commerce Secretary Gina Raimondo urged U.S. customers “in the strongest possible terms” to stop using the firm's software.
“Russia has shown it has the capacity and … the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action that we’re taking today,”
As noted, OFAC has not designated Kaspersky Lab, its parent or subsidiary companies, or its CEO. Friday's action was limited to twelve executives who report to Yevgeny Kaspersky, including the firm's
Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.
Additional information about the Commerce action and publicly available resources can be found at [oicts.bis.gov/kaspersky] and Frequently Asked Questions (FAQs) page.
The text of the Final Determination and a non-exhaustive list of prohibited products and services are available in the Federal Register [cited below]
Comments
No comments on this item Please log in to comment by clicking here